Some IPv6 routing woes

[vh]

Hi there,

This is a very primitive question, but I can’t seem to find a way out: My hosting service has granted me a /64 block for my FreeBSD box (go figure why, I don’t need zillions of aliases…). Now, the default router I must use is *not* located in that block, but has another prefix.

If I add a manual route like this:
# route add -inet6 -host router_address -interface ix0

and then I do:
# route add -inet6 default router_address

It does not work: ping6(8) to any host fails yelling 'operation not permitted'.

When I examine the output of netstat -rn, I find that the route to the default router is shown as using the ARP address of the ethernet adapter rather than, e.g., ‘link#3’.

Does anybody know how I should configure the routing tables to get it work?

Thanks a lot!
Vincent

 

[SirDice]

My hosting service has granted me a /64 block for my FreeBSD box (go figure why, I don’t need zillions of aliases…).

They gave me a /48 :e


Try this one:
# route add -inet6 default -iface ix0

 

[vh]

They gave me a /48 :e

Well, Apple and HP got /8 at the beginning of IPv4. Now, as I wrote somewhere, they will sell it back, and get zillions of dollars… just because the IANA was so short sighted.

Try this one:
# route add -inet6 default -iface ix0

Ok, I will. Thanks for the hint.
Vincent

 

[kpa]

If you have just one machine that is not a router you can't use the /64 block, it's meant to be assigned to another interface that is connected to a local LAN network.

Giving a /64 to customers may seem excessive but it's the only way to get autoconfiguration working in IPv6, the host part must be 64 bits. Even with /48s there are almost 2^48 *) different network prefixes to choose from and that's a hell a lot.

*) May be less because there a quite a few reserved prefixes but it's still way more than 2^32.

 

[throAU]

I've got a /56 at home (Internode). As above, it's more to do with ease of configuration rather than needing the IP address space for home.

Even point to point links in IPv6 use /64.

The IPv6 address space is so un-imaginably huge that it doesn't matter, and makes things simpler.

Still, it does feel wasteful having 4 billion IPv4 internet's worth of address space (or more) for home.

 

[kpa]

There's also what is called the IPv6 privacy extensions. If they are turned on your machine can choose a random address from the pool of 2^64 addresses (from the /64 prefix the router advertises) every time it connects to a network anywhere in the world. This effectively trumps any attempts to track your internet use based on IP address.

 

[gkontos]

There's also what is called the IPv6 privacy extensions. If they are turned on your machine can choose a random address from the pool of 2^64 addresses (from the /64 prefix the router advertises) every time it connects to a network anywhere in the world. This effectively trumps any attempts to track your internet use based on IP address.

This is debatable because all of those IP addresses will belong to the same /64 subnet. If I want to track the activity of a home user and I know that you are using IPv6 I will track your subnet and not your IP address.

 

[kpa]

This is debatable because all of those IP addresses will belong to the same /64 subnet. If I want to track the activity of a home user and I know that you are using IPv6 I will track your subnet and not your IP address.

Yes if you put that way but if the /64 is owned by an ISP and the addresses are handed out to their customers it's no longer possible to track anyone who uses the privacy extensions. In this scenario the users would not get any additional /64 or larger routed subnets, all they would get is the addresses assigned to the single interface of their host using autoconfiguration.

Also think of situation where you're using other networks, not just your home network. If you were using just the plain stateless autoconfiguration your host part of the address that is derived from the mac address would be the same in every network and you could tracked based on that. With the privacy extensions your host part is random every time you visit a new network and tracking is no longer possible.

 

[gkontos]

Yes if you put that way but if the /64 is owned by an ISP and the addresses are handed out to their customers it's no longer possible to track anyone who uses the privacy extensions. In this scenario the users would not get any additional /64 or larger routed subnets, all they would get is the addresses assigned to the single interface of their host using autoconfiguration.

Actually ISPs should provide a /64 as a minimal to every client I think. I know it sounds scary but if I am not mistaken the original plans were for /56 as a standard and a /48 to an organization.
Anyway, I don't disagree with you regarding the privacy extensions and I think that unless you need a static IP they should be used.

Also think of situation where you're using other networks, not just your home network. If you were using just the plain stateless autoconfiguration your host part of the address that is derived from the mac address would be the same in every network and you could tracked based on that. With the privacy extensions your host part is random every time you visit a new network and tracking is no longer possible.

You are right in that matter and I think this is the most dangerous part. I can understand that for link local it makes sense but it is very dangerous for public IPs.

 

[kpa]

Correct me if I'm wrong but I believe you need a static IPv6 address on your router's WAN interface for additional routed subnets.

 

[gkontos]

Correct me if I'm wrong but I believe you need a static IPv6 address on your router's WAN interface for additional routed subnets.

I am currently using a FreeBSD box as a router / firewall, connecting over ppp to my ISP.

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	options=80000<LINKSTATE>
	inet x.x.x.x --> 62.103.129.45 netmask 0xffffffff 
	inet6 fe80::a12a:e398:a32a:e399%tun0 prefixlen 64 scopeid 0xa 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

And the routing table:

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           fe80::215:c7ff:fed0:841b%tun0 UGS        tun0
::1                               link#8                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a02:xxx:xxxx:2c00::/64           link#6                        U           re0

This box has another interface where I have assigned a /64 subnet from the /56 subnet that my ISP has provided me with.

bge0 is the external interface which binds to tun0

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
	ether 00:13:21:cc:39:35
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

re0 is the internal interface that has been assigned with the /64 subnet.

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 64:70:02:00:65:72
	inet 10.10.10.4 netmask 0xffffff00 broadcast 10.10.10.255
	inet6 fe80::6670:2ff:fe00:6572%re0 prefixlen 64 scopeid 0x6 
	inet6 2a02:xxx:xxxx:2c00::2093 prefixlen 64 
	inet 10.10.10.6 netmask 0xffffffff broadcast 10.10.10.6
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

 

[kpa]

I was thinking of a native IPv6 set up where the WAN connection is a plain ethernet connection and the router advertisements are coming from ISP's router. In such a case you couldn't have additional routed subnets unless you have a static IP address.

PPPoE is quite rare here in Finland. Most common type of connection is ADSL with ethernet traffic encapsulated in the ATM connection and IP addresses assigned directly with DHCP. That's why I didn't think of the possibility of forwarding the routes over a PPP link.